We recently investigated a targeted attack against a device manufacturer, and in our analysis we found that the malware deployed into the target network is a variant of a well-known backdoor, BIFROSE. BIFROSE has been around for many years, is widely available in the cybercriminal underground, and has been used for a range of cybercriminal activities.

One past incident that used BIFROSE was the “Here you have” spam campaign of 2010, which targeted human resource (HR) personnel at government bodies such as the African Union and NATO. That incident closely resembles what we now call targeted attacks or APTs, so it is not surprising to see the backdoor used in one today.

The BIFROSE variant used against the device manufacturer (detected as BKDR_BIFROSE.ZTBG-A, SHA-1 hash 5e2844b20715d0806bfa28bd0ebcba6cbb637ea1) supports the following backdoor commands, most of which serve information theft or remote control of the affected system:

Download a file

Upload a file

Get file details (file size, last modified time)

Create a folder

Delete a folder

Open a file using ShellExecute

Execute a command line

Rename a file

Enumerate all windows and their process IDs

Close a window

Move a window to the foreground

Hide a window

Send keystrokes to a window

Send mouse events to a window

Terminate a process

Get display resolution

Upload contents of %Windows%\winieupdates\klog.dat

Capture screenshot or webcam image

Figure 1. BIFROSE administrator panel

Figure 2. BIFROSE taking a screenshot of an affected system

BIFROSE is best known for its keylogging, but it can steal far more than keystrokes. Because it can also send keystrokes and mouse events to windows, the attacker can act as the logged-in user without needing that user's credentials: logging into internal systems, for example, or sending messages to other users on the network. What makes this variant harder to track is that it communicates with its C&C server over Tor.

Can This Be Traced?

Apart from detecting the malware itself with a security solution, IT administrators can check for signs of a BIFROSE variant on their systems. One of the easiest checks is looking for the file klog.dat, which this variant stores under %Windows%\winieupdates\ and which is associated with its keylogging routine. Note that this path is the one used by this variant; its absence alone does not prove a system is clean.

Lastly, a solution that can detect possibly malicious activity helps IT admins determine whether an attack is underway. For example, since this variant uses Tor to talk to its C&C server, detecting Tor traffic leaving the network is one way to surface a potential compromise, and it applies to other Tor-using malware as well.
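The two checks above, looking for the klog.dat artifact on a host and flagging Tor-like connections in a connection log, are illustrated by the script below. This is an added example written for this page; it is not tooling from the original article or from Trend Micro. The connection-log format, the relay IP list (RFC 5737 documentation addresses) and the sample log lines are constructed for the demo; only the artifact path %Windows%\winieupdates\klog.dat comes from the analysis above. Tor's default relay ports (9001 ORPort, 9030 DirPort) are a weak indicator on their own, since relays and bridges commonly listen on 443, so the script also matches destinations against a relay list that in practice should be fed from the current Tor consensus.

```python
"""Hunting the two BIFROSE indicators named in the post.

Added example, not tooling from the original article or from Trend Micro.
Assumptions: the connection-log format, the relay IP list and the sample
log lines are constructed for the demo. Only the artifact path
%Windows%\\winieupdates\\klog.dat comes from the post.
"""
import os
import re
import tempfile

# Relative path of the keylog artifact under %Windows% (from the post).
KLOG_RELATIVE_PATH = os.path.join("winieupdates", "klog.dat")

# Ports a default Tor relay listens on (ORPort 9001, DirPort 9030).
# Port-only matching is weak: relays and bridges often use 443, so a
# current Tor consensus / relay IP list is the stronger indicator.
TOR_DEFAULT_PORTS = {9001, 9030}

# Constructed relay list using RFC 5737 documentation addresses (assumption).
KNOWN_TOR_RELAYS = frozenset({"203.0.113.10", "198.51.100.77"})

# Constructed firewall-style log: "<ts> <src>:<sport> -> <dst>:<dport> <proto>"
SAMPLE_LOG = """\
2014-08-27T10:01:02Z 10.0.5.21:49152 -> 93.184.216.34:443 TCP
2014-08-27T10:01:09Z 10.0.5.21:49153 -> 203.0.113.10:443 TCP
2014-08-27T10:02:44Z 10.0.5.33:49201 -> 192.0.2.55:9001 TCP
2014-08-27T10:03:10Z 10.0.5.21:49154 -> 10.0.5.1:53 UDP
garbage line that does not parse
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+)\s*->\s*"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)\s+(?P<proto>\w+)$"
)


def find_klog(windows_dir):
    """Return the path of klog.dat beneath windows_dir, or None if absent."""
    candidate = os.path.join(windows_dir, KLOG_RELATIVE_PATH)
    return candidate if os.path.isfile(candidate) else None


def flag_tor_connections(lines, relays=KNOWN_TOR_RELAYS, ports=TOR_DEFAULT_PORTS):
    """Return (src, dst, dport, reasons) for each line matching a Tor indicator.

    Unparseable lines are skipped rather than raising, so one malformed
    record cannot abort a scan over a large log.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        dst, dport = m["dst"], int(m["dport"])
        reasons = []
        if dport in ports:
            reasons.append("tor default port %d" % dport)
        if dst in relays:
            reasons.append("destination is a known Tor relay")
        if reasons:
            hits.append((m["src"], dst, dport, reasons))
    return hits


def klog_demo():
    """Plant klog.dat in a throwaway 'Windows' directory and show the check
    moving from miss to hit. Returns (found_before, found_after)."""
    with tempfile.TemporaryDirectory() as fake_windows:
        before = find_klog(fake_windows) is not None
        os.makedirs(os.path.join(fake_windows, "winieupdates"))
        with open(os.path.join(fake_windows, KLOG_RELATIVE_PATH), "wb") as fh:
            fh.write(b"")  # contents are irrelevant; presence is the indicator
        after = find_klog(fake_windows) is not None
    return before, after


if __name__ == "__main__":
    windir = os.environ.get("WINDIR")  # a real check only makes sense on Windows
    if windir:
        print("klog.dat:", find_klog(windir) or "not found")
    print("klog demo (before, after):", klog_demo())
    for src, dst, dport, reasons in flag_tor_connections(SAMPLE_LOG):
        print("%s -> %s:%d  %s" % (src, dst, dport, "; ".join(reasons)))
```

On the sample log the script flags two connections: the one to 203.0.113.10 because the destination is in the relay list (its port, 443, would not have been caught by the port check alone), and the one to 192.0.2.55:9001 because of the default ORPort. Run against a real export, replace KNOWN_TOR_RELAYS with addresses pulled from the current Tor consensus and adjust LOG_RE to your firewall's format.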